Koozali.org: home of the SME Server

[SOLVED] SME Server OpenVPN bridge with CentOS7

Offline deathsonic18

« on: February 24, 2016, 06:39:30 PM »
Hey everyone,

I have set up a router using SME Server along with an OpenVPN bridge with a private and public key; I am now trying to configure OpenVPN on CentOS 7 to work hand in hand with the SME bridge. I have gotten my publickey certificate (.pem format) and publickey (.pem format) and uploaded them to /etc/openvpn/keys.

Inside the SME Server OpenVPN setup, it has already created CA Cert, Server Cert, Server private key, DH and static key.

I only need to bridge centos through the SME openvpn bridge.

Now I have created a "client.conf" file in /etc/openvpn/ with the following text:
Quote
port 1194
port udp
dev tun
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
reneg-sec 0
key /etc/openvpn/keys/<keyname>.pem (cerf)
dh /etc/openvpn/keys/<keyname>.pem (key)
server-bridge 192.168.87.1 255.255.255.0 192.168.87.5 192.168.78.50
keepalive 10 120
comp-lzo
persist-key
persist-tun
   

Would anyone have any knowledge to guide me where I have gone wrong?

Greatly appreciated

When I start OpenVPN on CentOS7 I'm getting
Quote
Failed to start openvpn.service: Unit openvpn.service failed to load: No such file or directory
« Last Edit: March 01, 2016, 11:09:20 AM by deathsonic18 »

Offline Stefano

Re: SME Server OpenVPN bridge with CentOS7
« Reply #1 on: February 24, 2016, 07:27:49 PM »
well.. it looks like a C7 issue..

is there anything interesting in the logs? on C7 side, I mean

Offline deathsonic18

« Reply #2 on: February 24, 2016, 08:05:27 PM »
So I just entered the location for the logs inside the client.conf to "/var/log/"
After I ran openvpn, there were no log files; I also checked "/usr/local" and still nothing so after.
Would there maybe be another location I can search?


Offline Daniel B.

« Reply #3 on: February 24, 2016, 08:50:26 PM »
Bridge mode uses tap interface, not tun. You'd better start with the sample config available from the panel in the server-manager
« Last Edit: February 24, 2016, 10:20:47 PM by Daniel B. »
It's the end of the world !!! :lol:

Offline deathsonic18

« Reply #4 on: February 24, 2016, 10:15:46 PM »
I just found the sample Daniel B, it was a great help! I didn't even know it was there.  :shock: :shock: :D

I just have one question,

pkcs12 user.p12 = PKCS#12 Bundle
cert user.pem = PEM Certificate
key user-key.pem = PEM Key

What type of public key download is "cacert.pem"? Does it mean PEM Bundle or PEM Bundle w/Root?

Offline Daniel B.

« Reply #5 on: February 24, 2016, 10:22:32 PM »
You either need to use PKCS or PEM, not both (PKCS is a format which bundles the cert, the cacert and the key in a single file). If you want to use PEM format, cacert is the CA; you can get it from the home page of PHPki (or in the PEM bundle W/Root, it's the last certificate in this file).

Offline deathsonic18

« Reply #6 on: February 24, 2016, 10:39:24 PM »
Now that I have configured the client.conf (using PKCS Bundle & sample),

I am getting an error saying with line 11, which is "/etc/openvpn/keys/<PCKS Bundle Key>.p12"

Instead of linking it to the key bundle should I install it in CentOS?


Offline Daniel B.

« Reply #7 on: February 24, 2016, 10:41:17 PM »
I am getting an error saying with line 11, which is "/etc/openvpn/keys/<PCKS Bundle Key>.p12"
What is the error you're seeing ?

Instead of linking it to the key bundle should I install it in CentOS?
I don't understand what you mean here.

Offline deathsonic18

« Reply #8 on: February 24, 2016, 10:54:00 PM »
So the error that is coming up when I run "openvpn /etc/openvpn/client.conf" is

Quote
Unrecognized option or missing parameter(s) in /etc/openvpn/client.conf:11: /etc/openvpn/keys/PublicKey.p12 (2.3.10)

Now my client.conf is
Quote
rport 1194
proto udp
dev tap
nobind
remote clientrouter.client.gee

tls-client
tls-auth takey.pem 1
ns-cert-type server

/etc/openvpn/keys/PublicKey.p12

mtu-test
comp-lzo
pull

It seems like CentOS can't find where the .p12 file is; I am sure it is inside /etc/openvpn/keys because I applied a "ls" command to search the directory. Is there a way of implanting the .p12 key inside the system? I did some research and nothing really came up.

« Last Edit: February 24, 2016, 10:59:16 PM by deathsonic18 »

Offline Daniel B.

« Reply #9 on: February 24, 2016, 11:00:12 PM »
You removed the pkcs12 directive. This line should be

Code:
pkcs12 /etc/openvpn/keys/PublicKey.p12

Also, be sure to set the correct path for the takey.pem file (easier to set an absolute path)
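An added example, not part of the original thread or of the SME Server contrib: a small Python linter for the client-side mistakes worked through in Replies #3, #5 and #9 (tun in bridge mode, pkcs12 mixed with PEM options, a file path whose directive keyword was deleted, a relative tls-auth path). The function name `lint_client_conf` and the directive list are assumptions made for illustration.

```python
import os
# Directives seen in this thread's configs (assumption: not OpenVPN's full set).
KNOWN = {"port", "rport", "proto", "dev", "nobind", "remote", "tls-client",
         "tls-auth", "ns-cert-type", "pkcs12", "ca", "cert", "key", "dh",
         "mtu-test", "comp-lzo", "pull", "keepalive", "persist-key",
         "persist-tun", "tun-mtu", "tun-mtu-extra", "mssfix", "reneg-sec"}
FILE_OPTS = {"pkcs12", "ca", "cert", "key", "dh", "tls-auth"}

def lint_client_conf(text):
    """Return (line_number, message) findings for an OpenVPN client config."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or line.startswith(";"):
            continue
        opt, *args = line.split()
        if opt not in KNOWN:  # e.g. a bare path with its keyword deleted
            findings.append((n, f"no known directive before '{opt}'"))
            continue
        seen.setdefault(opt, n)
        if opt == "dev" and args and args[0].startswith("tun"):
            findings.append((n, "bridge mode needs 'dev tap', not tun"))
        if opt in FILE_OPTS and args and not os.path.isabs(args[0]):
            findings.append((n, f"relative path for {opt}: {args[0]}"))
    if "pkcs12" in seen and {"ca", "cert", "key"} & seen.keys():
        findings.append((seen["pkcs12"], "pkcs12 mixed with PEM ca/cert/key"))
    return findings

# Constructed sample: the client.conf quoted in Reply #8, line for line.
SAMPLE = """rport 1194
proto udp
dev tap
nobind
remote clientrouter.client.gee

tls-client
tls-auth takey.pem 1
ns-cert-type server

/etc/openvpn/keys/PublicKey.p12

mtu-test
comp-lzo
pull
"""

if __name__ == "__main__":
    for n, msg in lint_client_conf(SAMPLE):
        print(f"client.conf:{n}: {msg}")
```

Run against the Reply #8 config it reports line 8 (relative tls-auth path) and line 11, the same line OpenVPN rejected.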

Offline deathsonic18

« Reply #10 on: February 24, 2016, 11:05:37 PM »
Brilliant adding pkcs12 solved the issue  :)

Now yes, the next problem was the takey.pem file; I'm not sure which public key file type it is. PKCS#12 or PEM Cert. or PEM Key or PEM Bundle or PEM Bundle w/root?


Offline Daniel B.

« Reply #11 on: February 24, 2016, 11:22:13 PM »
It's the static pre-shared key you can get on the home page of PHPki

Offline deathsonic18

« Reply #12 on: February 25, 2016, 09:59:47 AM »
Thank you so much Daniel, I had no idea what takey.pem file actually meant.

Everything is up and running after I copied the takey.pem file to /etc/openvpn/keys and when I ran the openvpn
Quote
openvpn /etc/openvpn/keys
Checking in server-manager - openvpn-bridge - display connected clients; it shows that the client is connected.

Thank you so much, you are a life saver!  :grin: :lol: :grin: :grin:

Offline Stefano

« Reply #13 on: February 25, 2016, 10:02:34 AM »
well.. time for a little donation, isn't it? :-D

Offline deathsonic18

« Reply #14 on: February 26, 2016, 08:35:05 AM »
Why yes it is time for a little donation!  :-D

Now just to find out why the openvpn bridge connection is disconnecting at times

[Update Problem solved] from https://forums.contribs.org/index.php/topic,52253.0.html
« Last Edit: February 26, 2016, 08:40:25 AM by deathsonic18 »

Offline deathsonic18

« Reply #15 on: February 26, 2016, 08:55:30 AM »
btw, for anyone out there;
if you'd like to turn this openvpn into a service inside CentOS, simply use

Code:
sudo systemctl -f enable openvpn@newclient.service
Then you may access it from /usr/lib/systemd/system
then you vi/nano
Code:
openvpn@newclient.service
From there, you use
Code:
--config <the location of your config file> i.e. /etc/openvpn/client.conf and other advanced settings
« Last Edit: February 26, 2016, 09:03:42 AM by deathsonic18 »

Offline Daniel B.

« Reply #16 on: February 26, 2016, 09:08:02 AM »
You don't need to edit an openvpn@newclient.service file, especially in /usr/lib/systemd/system (if you have to create your service file, just do it in /etc/systemd/system). Just create your config file /etc/openvpn/newclient.conf and enable and start the openvpn@newclient.service. That's it. Nothing else to do.

Offline deathsonic18

« Reply #17 on: February 26, 2016, 09:12:02 AM »
Daniel, I have tried to implement DuplicateCN enabled inside the sme server console using

Code:
openvpn --dupliacteCN enabled
however it can not take the command  :?

Offline Daniel B.

« Reply #18 on: February 26, 2016, 09:14:35 AM »
Code:
db configuration setprop openvpn-bridge duplicateCN enabled
signal-event openvpn-bridge-update